Europe’s GDPR (General Data Protection Regulation) is a data privacy law that went into effect in 2018. It is one of the biggest changes in the regulation of data privacy passed in the last 20 years.
The goal of GDPR is data protection for EU citizens, but it does not affect only businesses based in the EU. It affects every business that offers services or products to EU citizens, or that processes the personal data of EU citizens and of other people currently located within the EU.
It is an 88-page document, and in this article I will break down the most important information for US-based webmasters. The goal of this article is to help you understand GDPR, but do keep in mind that I am not a lawyer, so please don’t consider this article legal advice.
Who Is Affected?
GDPR protects the data of EU residents and citizens. It affects everyone who collects and processes the data of EU citizens, even if the party processing the data isn’t based in the EU. This means that even if you are running a small restaurant in Wyoming or just want to start a personal blog, you might be affected by GDPR. No matter where your website is hosted, if you are processing data, there is a chance that an EU citizen will visit your website, and thus you could be affected by GDPR.
GDPR doesn’t only cover EU residents and citizens. It also protects anyone who is in an EU country. If a US customer is traveling to Europe and opens your website while in Europe, then they might fall under GDPR’s rules, according to art. 3 of GDPR.
In short, GDPR protects the data of anyone who is in an EU country.
What Is Considered Personal Data?
GDPR applies to the processing of the personal data of a natural person. However, GDPR’s definition of personal data is wide; according to art. 4 of GDPR, personal data is any information relating to an identified or identifiable natural person. Furthermore, it states that data subjects are identifiable even if they can only be indirectly identified from that data. If you are wondering how “any information” should be interpreted, the answer is: as broadly as possible.
It should go without saying that personal information such as ID numbers and location data is considered personal data. Any information that details genetic, mental, commercial, cultural, or any other aspect of a person’s identity may also be considered personal data and, therefore, the law applies.
Even subjective information, such as opinions, may be considered personal data if it can be used to identify a person, according to art. 4 of GDPR.
Here’s a handy personal data list to reference:
- Name, ID, phone number, credit card information, email address and physical address
- IP address, cookie history, and location
- Gender and sexual orientation
- Biometric data
- Racial, cultural, and ethnic data
- Political opinions
- Brand preferences
- Any other form of personal information or opinion you can think of
What Does It Mean to Be GDPR Compliant?
The last two sections make GDPR look like a big, scary document waiting to fine you. Yes, GDPR is a serious document, but it actually isn’t that scary. With GDPR in force you can still collect and process any personal data, but you have to do it transparently and with the explicit consent of those whose data you are processing, according to articles 7 and 5 of GDPR.
“Transparency” means that you can’t process the data of EU citizens without telling them what data you are processing and for what purposes.
“Explicit consent” means that you can’t process EU citizens’ personal information if they refuse, and that pre-checked boxes on your consent form do not count as consent.
As long as you have clearly explained what data you are collecting and processing, and visitors to your website have explicitly consented to that data being collected, you should be fine. Don’t forget, though, that all of this has to happen before you collect any personal information from them.
You should also be careful when using any third-party tools that process personal data. According to GDPR art. 4, you can still be held responsible for data that a third party collects or processes on your behalf.
What Happens If You Don’t Comply?
This part of GDPR is clear. If a company is in breach of GDPR, it can be fined, and the fine in question is quite serious. According to art. 83 of GDPR your company could receive a fine of up to 4% of its annual global turnover or €20 million, whichever is higher.
To meet the transparency requirement, tell your visitors clearly:
- What data is being collected?
- How and why are you collecting it?
- How will you use it?
- Will you share it with anyone, and, if yes, who with?
Due to the explicit consent requirement, all your forms that concern data processing should be set to “No” by default.
GDPR also grants natural persons another right, the right to be forgotten (art. 17). At any time a person can request that their data be deleted from your database, and you must comply. To make this task easier, you should make it simple for users to withdraw their permission.
Email Marketing List
Under GDPR, an email address is also considered personal data (art. 4). If you have collected email addresses, for example through email marketing campaigns, without asking for permission, you should go back and review those lists. Either delete all EU-based users from those lists or ask all of them for permission.
Blocking IP Addresses
One of the solutions to avoid falling under GDPR is to block users from the EU from accessing your website.
However, if you decide on this approach you still have to be careful about how you implement it. In order to block users from the EU, your website will still have to process their IP address. According to GDPR’s definition of personal data, IP addresses are considered personal data, and you can be fined for collecting and processing them without the explicit consent of the user. However, there is a way to collect IP addresses for the purpose of blocking a user while still being compliant with GDPR.
One part of GDPR gives users the right not to be subject to decisions based solely on automated data processing. However, there is also a paragraph (art. 6 par. 1(b)) which states that this does not apply if the decision “is necessary for entering into, or performance of, a contract between the data subject and a data controller.”
So, you may state in your terms and conditions that your website is not for visitor use from the EU. Your terms and conditions serve as a contract between you and a visitor to your website; this means that blocking access to EU visitors is just an enforcement of that contract.
GDPR also covers the European Economic Area countries. Some of the covered territories are not in geographic Europe, so you will have to block those as well. These are the Azores, Canary Islands, Guadeloupe, French Guiana, Madeira, Martinique, Mayotte, Reunion, and Saint Martin.
One more important thing when blocking IPs from the EU is to collect no other data besides the country of the IP address from which the user is trying to access your website. If all you know about the user is their country, they remain unidentifiable. To achieve this, your website should block users before Google Analytics, and any other data processing tools you might be using, start to collect data.
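The following is an added example, not code from the article or from any GDPR tooling, showing one way to implement the blocking described above as a WSGI middleware: the visitor’s IP address is resolved to a country, EU/EEA visitors receive an HTTP 451 response before the real application (and any analytics script it serves) runs, and nothing but a per-country counter is retained. The prefix-to-country table is a constructed stand-in built from RFC 5737 documentation ranges, because a real deployment would consult a GeoIP database, which one is left to the operator. The country code sets and the `demo_app` placeholder are the example’s own assumptions.

```python
import ipaddress

# Constructed lookup table: CIDR prefix -> ISO 3166-1 alpha-2 country code.
# These are RFC 5737 documentation ranges assigned to countries arbitrarily,
# purely so the example runs offline. A real deployment would consult a
# GeoIP database here (which one is an assumption left to the operator).
SAMPLE_GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "NO"),
]

# EU member states plus the three non-EU EEA countries (Iceland,
# Liechtenstein, Norway). The territories named in the article (Azores,
# Canary Islands, Guadeloupe, ...) belong to PT, ES and FR; whether your
# GeoIP database reports them under the parent country's code is something
# to verify against that database (assumption: it does).
EU_COUNTRIES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
})
EEA_NON_EU = frozenset({"IS", "LI", "NO"})
BLOCKED_COUNTRIES = EU_COUNTRIES | EEA_NON_EU


def country_for_ip(ip_str, table=SAMPLE_GEO_TABLE):
    """Resolve an IP address to a country code, or None if invalid/unknown."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for network, country in table:
        if addr in network:
            return country
    return None


def should_block(country):
    """Block only when the country is positively known to be EU/EEA."""
    return country in BLOCKED_COUNTRIES


def geoblock(app, table=SAMPLE_GEO_TABLE, stats=None):
    """Wrap a WSGI app so EU/EEA visitors are refused before it runs.

    The only thing retained per request is a per-country counter (`stats`);
    the IP address itself is neither stored nor logged.
    """
    if stats is None:
        stats = {}

    def wrapped(environ, start_response):
        country = country_for_ip(environ.get("REMOTE_ADDR", ""), table)
        if should_block(country):
            stats[country] = stats.get(country, 0) + 1
            body = b"This site is not offered to visitors in the EU/EEA.\n"
            start_response(
                "451 Unavailable For Legal Reasons",
                [("Content-Type", "text/plain; charset=utf-8"),
                 ("Content-Length", str(len(body)))],
            )
            return [body]
        # Not blocked: only now does the real application, and with it any
        # analytics script it serves, get to see the request.
        return app(environ, start_response)

    wrapped.stats = stats
    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the real site; constructed for this example."""
    body = b"hello\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Serves on localhost for manual testing.
    make_server("127.0.0.1", 8000, geoblock(demo_app)).serve_forever()
```

Two design points: an address the table cannot place is allowed through rather than blocked, since blocking on a guess gives no GDPR benefit and only loses visitors; and if the site sits behind a reverse proxy, `REMOTE_ADDR` will be the proxy’s address, so the client address must be taken from whatever header the proxy sets, and only from a proxy you trust.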
The EU-US Privacy Shield is a framework created to allow the transfer of personal data from the EU to the US. The EU doesn’t allow the transfer of data to other countries unless they have adequate data protection laws. The US doesn’t meet this requirement, so the Privacy Shield was created to address this problem. It is the framework that certifies US companies as secure enough to receive data transferred out of the EU.
Joining the Privacy Shield program is a good way to jump start your company on the road to becoming GDPR compliant. However, joining does not make you GDPR bulletproof. Even as part of the program, you should still double check if your business is completely GDPR compliant or you could pay enormous fines, as mentioned above.
GDPR is a law that will most likely affect you if you are running a website, no matter where you are in the world. It is a strict law which could result in serious fines for anyone who breaches it.
At first glance, it seems hard work to become GDPR compliant, but ultimately, it is a fair law. You should inform users of your website about the ways you will be handling their data and ask for their permission in order to do so.
Instead of looking at GDPR as a complication, view it as an opportunity to build trust with your customers.
Author Bio: Karen Evans is a former college student who, after making real money learning how to build niche blogs, decided to go full time and hasn’t looked back since.
After seeing so many people waste time and money trying to learn how to create websites that make money she decided to create the ever-popular StartBloggingOnline.com.